This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

SMB: User Password Brute-force Attempt 40004

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

SMB: User Password Brute-force Attempt 40004

sadams
Not applicable

‎04-25-2013 01:34 PM

Hello all.  I have a PA-5020 operating as our Layer 3 router between all of our VLAN's.  For the past month or so the ACC on the Palo shows SMB: User Password Brute-force Attempt (ID:40004) as the #1 entry in Threat Prevention section.  The attacker is our Antivirus (Kaspersky) Administration Server on VLAN 199 and the victim is a kiosk PC that isn't on our domain, just our network VLAN 202.  There are about 10 other kiosks and they don't get any threats from the AV server.  These kiosks are managed by another company and locked down pretty well.  I've tried using netstat /oan and keep running it but never see the traffic (maybe the firewall on the kiosk terminates the traffic too quickly for me to see any SYN_WAIT, etc.).  I do see a LOT of 445 connections off and on to other devices on our network, just none to that IP address.

I've scanned the server with the latest Kaspersky sigs and no malware is found.  I'm stumped as to what this may be, should I start a packet capture and see if that yields any clues?

2 people had this problem.
0 Likes Likes
3 REPLIES 3

scantwell
L4 Transporter

‎04-25-2013 01:48 PM

Well, if you feel this could be a false positive, and the FW is incorrectly recognizing traffic as Brute Force, you can create an IP exception rule in  your vulnerability profile. You can to the profile, then go to Exceptions, find the vulnerability number, and edit it, to ignore the signature when it sees traffic destined for that PC in VLAN 202.

0 Likes Likes

UhMayYeah
L5 Sessionator

‎04-26-2013 12:26 AM

Suggest updating the AV DB and App and Threat DB  to the latest version  ,if the issue continues .

Open a support case providing following explained in the following document:

https://live.paloaltonetworks.com/docs/DOC-2769

sadams
Not applicable

‎05-30-2013 09:03 AM

Thanks for the advise.  Just wanted to follow up on this, it looked like Kaspersky server was still trying to run some job against this IP address thinking it was a domain computer holding the IP address.  We made a dummy reservation in DHCP and forced the kiosk (non-domain) computer to get a new IP address and the threat stopped, it didn't follow the IP address.

  • 13654 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks